Wednesday, October 31, 2012

Each month, Taia Global's Science and Technical Intelligence Flash Traffic brief looks at key R&D projects in any one of 14 nation states' research facilities, including those of Russia and China. Tomorrow, November 1st, we will feature some key projects being worked on at one of the Russian Federation's premier universities (Moscow Engineering Physics Institute - MEPHI), which specializes in information security with customers in the Ministry of Defense and the Security Services.

An additional area of coverage in tomorrow's report will be two key labs in China - the Key Lab for Intelligent Networks and Network Security and the Key Lab of Aerospace Information Security and Trusted Computing.

If you believe, as I do, that threat intelligence isn't just about malware signatures, then I'd like to invite you to become a subscriber to this service. You can buy a single issue for $65 or subscribe for the year for $500. Annual subscribers will also receive free copies of the Russian Federation Information Security Framework 2011 and 2012. Thanks for your support.

U.S. Secretary of Defense Leon Panetta said in a speech in New York City on October 11, 2012 that “If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the President.” This is known as active defense, and it's a strategy that China had adopted back in the mid-90’s when the PLA decided to mount a revolution in military affairs in order to confront the U.S. military’s new network-centric warfare doctrine.

Recent military writings published in the journal China Military Science continue to emphasize the need for an active defense:[1]

“While post-emptive moves are a self-defensive strategy of defense upon which our military must insist in the opening of war, it is not an effective way to seize the initiative on the informatized battlefield. To achieve the goal of seizing the initiative, the art of controlling war situations in the initial stage of combat must emphasize active offense, striving to dominate the enemy by capturing early moments of opportunities and conquering the enemy in early battles.”
“[O]ur military’s seizure of early moments of opportunities to dominate the enemy by conducting offensive operations cannot be separated from the basic requirements of active defense.”

According to Timothy L. Thomas[2], the author of many books on both Chinese and Russian Informatized Warfare, an informatized offense is part of China’s active defense plan. This is best described in a 2005 article published in Chinese Military Science “Systems of Military Strategy in the Information Age” about which Thomas writes:[3]

“The primary objective consists of paralyzing an opponent’s strategic command systems to introduce the deterrence function. The five steps to this process are striking at an opponent’s strategic command system, their economic foundations, that nation’s transportation infrastructure, the human resources of the country (especially reserve personnel), and the armed strength of the country in question.”

This 5-part strategy was refined in 2011 in a paper written by Ye Zheng and Zhao Baoxian, “How Do You Fight a Network War?”[4] wherein the authors detailed the following 5 operational forms:

Network intelligence

Network paralysis

Network defense

Network psychology

Network-electromagnetic integration

Finally, Major General Dai Qingmin, author of New Perspectives on War[5], wrote about the need to expand an information attack beyond combat systems to include the enemy’s critical infrastructure (financial, transportation, communication, and power).

System of Systems
In 2010, Chairman Hu Jintao used the phrase “System of Systems” in describing priorities in strategy and planning for the People's Liberation Army[6]. Unfortunately, the exact meaning of the phrase is difficult to determine. It isn’t a concept that’s unique to China. U.S. military writers used the phrase as early as the mid-90’s.[7] Tim Thomas dedicated a chapter in his book to exploring this important topic but wasn’t able to come to a clear distinction between what it means for the PLA versus the U.S. Armed Forces. Thomas quotes one PLA research fellow who said the difference came down to “capabilities and objectives” between the two nations.

In this author’s opinion, the phrase System of Systems as used by Chinese military theorists refers to an over-arching strategy that assumes network dependence by both sides and seeks to gain control over a greater system within which network-centric warfare is a subset. One example might be the dependence that critical DOD bases have upon the public power grid. The local energy provider will be a much softer target than the military base and the base is most likely entirely dependent upon it. Another example of a System of Systems strategy may be corrupting the supply chain that provides the integrated circuitry used in weapons systems. The bottom line is that when faced with a superior adversary, you don’t attack the adversary directly. You attack the systems which sustain him.

Active Defense Workshop at Suits and Spooks DC
This blog post comes from the research that I've been doing for my next book "Assumption of Breach" which will feature a chapter on Active Defense. I'll also be conducting a one hour workshop at Suits and Spooks DC on Feb 8-9, 2013 which examines active defense in Chinese and Russian military theory. Hopefully, Dr. Thomas will get approval from DoD to speak as well. He's been invited - confirmation is pending. Registration is limited so I encourage you to sign up early.

Friday, October 26, 2012

10 years ago in October 2002, a National Intelligence Estimate (NIE) was produced whose findings concluded that Iraq had Weapons of Mass Destruction. In February, 2003, SECSTATE Colin Powell addressed the U.N. Security Council on that same subject. His remarks were based entirely on source material vetted by intelligence analysts. That speech was the U.S. case - and his case - for going to war against Iraq. On March 19, 2003, the U.S. invaded Iraq for reasons that later proved false.

Now we seem to be laying the political groundwork for yet another war in the Middle East - this time against Iran. While there's no doubt that Iran wants to acquire nuclear weapons, there's a lot of doubt regarding how close that is to happening. Iran has only been successful at enriching uranium to low levels and in small quantities. It's certainly a serious problem and one that needs addressing, but it's not in and of itself sufficient cause to go to war over yet. So let's pile on another layer of threat - Iran's capability to cause a "cyber Pearl Harbor" or the cyber equivalent of "9/11". In order to underscore those threats, Secretary Panetta pointed to two recent cyber attacks: the DDoS attacks against major U.S. banks allegedly performed by an Iranian hacktivist group that no one had ever heard of before, and the Shamoon attacks against Saudi Aramco and RasGas, which the Secretary referred to as a "very sophisticated virus". In reality, Shamoon is neither a virus nor sophisticated. It was a quick and dirty piece of malware (a worm), probably reverse-engineered from the original Wiper (not Flame) that struck at Iran's oil ministry back in April. Half of its functionality didn't even work properly due to a coding error. And the DDoS attacks were most likely the work of an Eastern European criminal gang who specialize in banking attacks and decided to mask this one with an Iranian hacktivist false flag.

The bottom line on Iran is that both its uranium enrichment and its cyber warfare capabilities are not fully developed. There are lots of other countries, including the U.S., its allies, and some adversary states, who are far more advanced than Iran in both of those categories. While it's certainly possible that at some point in the future the West will have no choice but to go to war with Iran, we aren't there yet and certainly not for the reasons given by Secretary Panetta. I have nothing but respect for the current Administration, but I cannot in good conscience watch a repeat - or what even smells like a repeat - of the 2002-2003 build-up to war with Iraq happen a second time. Not while I have a voice and an opportunity to try to stop it by calling out errors in facts when I see them.

Wednesday, October 24, 2012

Nicole Perlroth's New York Times story - In Cyberattack on Saudi Oil Firm, U.S. sees Iran Firing Back - is a ridiculous premise based on confusing hypotheses regarding malware that may not even have come from the U.S. But before I cover that, I'd like to know in what universe does a country who was on the receiving end of multiple perceived U.S. cyber attacks go after an entirely different nation in revenge?

The answer to that rhetorical question is none. There's no logical reason for Iran to attack Saudi Aramco in order to send a message to the U.S. I've written many times my belief that the Aramco attack was Iran sending a message to Saudi Arabia to not increase its oil production because of sanctions imposed on Iran. That may or may not be true but at least it follows a logical order.

1. Iran makes a threat to SA - Don't increase your oil production.

2. SA ignores the threat and increases production anyway.

3. Iran destroys Aramco's 2000 servers and 30,000 workstations.

To believe the Times story, the logic would have to flow differently:

1. Iran is hit by malware that it believes was created by the U.S. which destroyed some servers in its oil ministry.

2. It retaliates against the U.S. by destroying servers owned by Saudi Aramco.

Really? Does that make sense to anyone?

Apart from that glaring logical inconsistency, there's a factual flaw in Ms. Perlroth's reporting that needs to be corrected. No one has a copy of the original Wiper malware that hit Iran's oil ministry last April, so it's impossible to know that it was part of Flame. Further, no one knows who was responsible for Flame because the connection between Flame's creators and Stuxnet/DuQu's creators is limited to the assumption that they "knew each other". That hardly qualifies as coming from the same nation-state. All in all, this article was far below the quality that I've come to expect from Nicole Perlroth. I hope it doesn't serve to aggravate an already tense situation between the U.S. and Iran.

UPDATE (24OCT12): I just spoke with Nicole Perlroth and learned that her article was meant to take a skeptical view of the administration's campaign to pin cyber attacks on Iran. I reread the article and I'm still not clear on which points she was being skeptical about; however, based upon my respect for her past research, I've changed the name of this post to "Ridiculous Administration Premise ..." instead of "Ridiculous NY Times premise" since that was Ms. Perlroth's intent - to express skepticism of the Administration's position on this issue.

Monday, October 22, 2012

Between SECDEF Panetta signaling Iran and other states that the U.S. won't tolerate increased cyber attacks without a response and the increasing impatience on the part of the private sector of being legally restrained from doing anything when they see their stolen data sitting on a foreign server, I predict that the most important cyber topic of 2013 will be active defense. In fact, we had a lively discussion about this very topic last Thursday at Suits and Spooks Boston.

In order to provide a forum where the various implications of taking offensive action under the umbrella of active defense can be explored, debated, and tested, I've decided to dedicate our next Suits and Spooks event to this critical area. I've also expanded it from a single day to a two-day event that will feature hands-on labs in addition to plenary sessions. And unlike SNS Boston, journalists will be welcome at SNS DC 2013.

Two speakers and one lab that are already lined up include Dr. Boldizsar Bencsath, director of the Laboratory of Cryptography and System Security, Budapest, whose lab first discovered DuQu; Richard Bejtlich, the Chief Security Officer of Mandiant; and, via IRC in one of our labs, th3j35t3r (hacktivist for good). Dr. David Bray, who had been earlier announced, may have a conflict on either of those days, so his may be a last minute appearance. Many more speakers and labs will be announced in the coming weeks.

It will be held in the same venue as our February 2012 event - The Waterview Conference Center, a spectacular space overlooking the Potomac river and the Capital from the 24th floor. I'm inviting both national and international experts to participate and am open to your suggestions for the types of labs that you'd like to participate in, as well as receiving inquiries from companies who'd like to be a sponsor.

As is our custom, attendance will be capped at 100. I've set up a super early bird rate in order to help keep your costs associated with attending low. Considering the controversial nature of this topic in combination with its criticality, I fully expect this event to sell out. See you in DC.

Suits and Spooks DC: Offense as Defense

February 8-9, 2013 at the Waterview Conference Center, Arlington, VA

Featuring plenary and breakout sessions (labs)

Two Continental breakfasts

Two lunches

A free signed copy of my new book "Assumption of Breach: A New Security Paradigm" (O'Reilly Media, 2013)

Registration:
Super Early Bird $225.00 (until November 9, 2012)
Early Bird $395.00 (until January 9, 2013)
Standard $595.00 (until February 7 or when the event is sold-out)

Wednesday, October 17, 2012

In an important speech on Thursday night, Defense Secretary Leon Panetta spoke about how the Department of Defense has improved capabilities to protect the U.S. against the threat of a catastrophic cyber attack; that if such an attack were imminent, the U.S. would strike first. While this statement was clearly meant to deliver a message to Iran, which featured prominently in the Secretary's remarks, the U.S. lacks the technical ability to deliver on that threat.

According to the Law of Armed Conflict, a nation state must be under imminent threat of an attack which will cause grievous harm to its populace before it can launch a pre-emptive strike in self defense. Rather than a traditional kinetic attack, Secretary Panetta specifically referred to a cyber attack by "an aggressor nation or extremist group [who] could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals". The Secretary went on to say that "If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the President".

The fact is, however, that neither the NSA nor any other agency has the ability to identify a malicious program that was custom-written to target an industrial control system before the attack occurs. It cannot "see" such a program traveling across the Internet backbone, assuming that were the delivery method. More likely, as in the case of Stuxnet, Shamoon, and other malware, it would be hand-carried onto the target's premises and inserted via removable media into a networked computer, which bypasses the capabilities of any NSA-run signals intelligence program to identify it.

Even if we had the ability to discern the purpose and target of malware in-transit, we'd also have to know which nation state was behind it. Although Secretary Panetta claimed that DoD has made "significant advances" in determining attribution, there's ample reason to doubt that statement - the most obvious being the Secretary's own words that "DoD is already in an intense daily struggle against thousands of cyber actors who probe the Defense Department’s networks millions of times per day." Anonymity has provided much of the impetus for the increasing number of automated and targeted attacks against the U.S. and other countries. Those attacks are on the rise because anonymity remains intact.

U.S. offensive cyber warfare capabilities are second to none, but in the words of General Peter Pace, the former Chairman of the Joint Chiefs of Staff, we cannot defend against what we send out, and since what we have sent out (like Stuxnet) is being reverse-engineered, we should re-think whether our being in a weak defensive state is really the best time to be running offensive cyber operations in the first place.

Tuesday, October 16, 2012

I'm very pleased to be able to announce that I'll be speaking at The New York Military Affairs Symposium in New York City this Friday, October 19th with renowned historian Dr. John Prados. If you're in the city or close by, please attend and introduce yourself. My portion of the evening will include a discussion of China's use of Active Defense as part of its informatized warfare strategy (China doesn't use the term "cyber warfare"). I'll also include comments on SECDEF's recent speech, Iran's cyber operations, and the attack against Saudi Aramco's facility.

Also, if you're in or near the Boston area, it's not too late to register for Suits and Spooks. Dale Peterson of Digital Bond's talk on how to simultaneously compromise multiple power facilities is going to blow everyone away, and rather than hearing whispers about Israel's cyber capabilities, a former IDF hacker will tell you first hand how he and a red team would run a full spectrum (cyber and kinetic) offensive op against a power plant. The full agenda and registration info can be seen at the above link. Don't miss this one.

Friday, October 12, 2012

U.S. Secretary of Defense Leon Panetta gave a speech on Thursday, October 11, 2012 at the Business Executives for National Security (BENS) Eisenhower Award dinner in New York City where he made the following statement:

In addition to defending the Department’s networks, we also help deter attacks. Our cyber adversaries will be far less likely to hit us if they know we will be able to link them to the attack, or that their effort will fail against our strong defenses. The Department has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of an attack. Over the last two years, the Department has made significant investments in forensics to address this problem of attribution, and we are seeing returns on those investments. Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests.

With great respect for our former Director of Central Intelligence, now SECDEF, I don't believe that we're anywhere near being able to identify sophisticated adversaries in cyberspace that extends beyond being able to give code names to anonymous hacker groups or recognizing certain TTPs. For one thing, five seconds before Secretary Panetta made the above remarks he said "Moreover, DoD is already in an intense daily struggle against thousands of cyber actors who probe the Defense Department’s networks millions of times per day." So clearly if we have "made significant advances to link our cyber adversaries to an attack" and we're still fending off thousands of cyber actors probing DoD networks every day, then someone didn't get the memo!

In fairness, the Secretary didn't say that we are able today to solve the attribution problem. He said that we're making "significant advances," which is too nebulous a phrase to have a fact-based discussion about. The reason why I'm skeptical is because attribution is the kind of hard challenge that DOD farms out to private contractors, who sub-contract that work out to specialists at boutique security firms, and I know a lot of those firms. They're all still focused on finding an answer by focusing on the forensics, and the answer won't ever be found through pure forensic research. Why? Because everything that we know about forensics is also known by our adversaries, thanks to 900 security cons held worldwide annually, and because our adversaries in cyberspace are highly skilled.

It's also ironic that while the SECDEF talks about our growing ability to deter through attribution, that it was the U.S. who was caught conducting a cyber-sabotage operation against Iran's Natanz nuclear fuel enrichment plant, and is suspected in two other high profile cyber attacks (DuQu and Flame). If anyone has demonstrated their ability to disguise their own cyber attacks while attributing the attacks of others, it would be Russia. Many of the U.S. security companies who promote their ability to identify bad guys to the DOD and IC never seem to catch Russia doing anything, yet Kaspersky Labs produces report after report post-Stuxnet on malware that seems to have originated with the U.S. Perhaps we could solve our attribution problem by hiring more Russian security engineers.

Tuesday, October 9, 2012

I'm very pleased to announce that Sean McBride, co-founder of Critical Intelligence, is our latest speaker at Suits and Spooks Boston. With Sean's addition, we'll have the most aggressive set of talks on how to take down critical infrastructure that I've ever seen at any security conference. Here's a summary of Sean's presentation:

Title: OSINT analysis of U.S. capabilities to attack industrial control systems

Critical Intelligence provides industrial control systems (ICS) security stakeholders with actionable intelligence pertinent to protecting information assets that operate physical critical infrastructure. This presentation, which fuses official military doctrine, state department leaks and sanction lists, control system vendor forum comments, online resumes, and traditional news reports, represents the most comprehensive OSINT effort to characterize the capabilities of the United States government to attack ICS undertaken to date.

Before coming to Critical Intelligence, Sean instituted and led the situational awareness effort for the Department of Homeland Security (DHS) Control Systems Security Program (CSSP) at the Idaho National Laboratory (INL).

The complete agenda and registration information for Suits and Spooks Boston is here. We only have a few seats remaining so register today and don't miss this opportunity to get no FUD, in-depth, solid information on offensive tactics against CI.

Monday, October 1, 2012

My firm, Taia Global, has launched a new monthly report called S&TI (Science and Technical Intelligence) Flash Traffic Monthly Brief, and today the first issue went out to our subscribers. We use foreign language search and country experts to do a monthly round-up of high priority research and development projects underway in 14 nation states: Brazil, Bulgaria, China, France, Germany, India, Iran, Israel, The Netherlands, Romania, Russia, South Korea, Taiwan, and Ukraine.

In this inaugural issue, we covered the six states mentioned in the title. Here's a sampling of some of the projects that we reported on:

Brazil is auctioning off-shore oil leases if foreign companies will open and fund R&D labs in Brazil's technology corridor.

South Korea plans to produce indigenously-developed surface-to-air guided missiles next year.

The October issue is now available for $42.50, or you may contact us for information on our annual subscription. It's a condensed report, fully sourced, delivered in plain text via your email inbox.